F5 BIG-IP RCE Vulnerability (CVE-2023-46747)

What It Is and How to Fix It
F5 BIG-IP is a widely deployed application delivery appliance (load balancing, TLS
termination, web application firewall and access control) used by large companies and
government agencies to manage and secure web traffic. In simple terms, it acts like a
smart traffic controller and security gate in front of websites and applications.
Because a BIG-IP sits in the path of so much traffic, and holds the certificates and
credentials for the applications behind it, any security hole in it is very serious.

What is Remote Code Execution (RCE) and Why Is It Dangerous?
A Remote Code Execution (RCE) vulnerability is a weakness that lets an attacker run
any code they want on the affected device over the network. In practice, an attacker
could send specially crafted messages to the device and make it do almost anything
from stealing data to installing malware. In the case of the F5 BIG-IP flaw, Praetorian’s
advisory explains that exploiting this issue lets “an unauthenticated attacker achieve
full administrative privileges and full remote code execution on the impacted BIG-IP
system”. In other words, a hacker could gain complete control of the BIG-IP device
without needing a password. This is extremely dangerous, because it’s like giving a
stranger the keys to your network’s traffic controller; they could intercept, redirect, or
disrupt all your web traffic.

About CVE-2023-46747 (the F5 Vulnerability)
The vulnerability, tracked as CVE-2023-46747, was found in 2023 by researchers at the
security firm Praetorian and publicly disclosed on October 26, 2023, the same day F5
published its advisory (K000137353) and emergency hotfixes. It affects the BIG-IP
Configuration utility, also known as the Traffic Management User Interface (TMUI). It
was not a true zero-day: the bug was reported to F5 before disclosure, and in-the-wild
exploitation followed the public advisory rather than preceding it. The flaw lets an
attacker bypass the TMUI login entirely and then execute commands on the BIG-IP device
as the root user. In practice, if the Configuration utility is reachable from the
internet, anyone who knows the technique can send crafted requests and take full
control of the system without valid credentials.

F5’s advisory lists the following affected versions: BIG-IP 17.1.0, 16.1.0–16.1.4,
15.1.0–15.1.10, 14.1.0–14.1.5, and 13.1.0–13.1.5 (SecPod and other trackers reproduce
the same list). Any of these is exploitable whenever the Configuration utility is
exposed; the bug is in the interface itself, not in a particular licensed module. The
advisory names a fixed build (a point release plus an engineering hotfix) for each
branch, but the 13.x and 14.x branches are at or past the end of software support, so
for those the durable fix is an upgrade to a supported branch. F5’s advice to customers
has been to “update the software to the latest patch” as soon as possible.

How It Was Discovered
Praetorian’s team found the flaw while examining how the BIG-IP Configuration utility
is built: an Apache front end that handles authentication and then proxies requests to
a Java (Tomcat) back end over AJP. Looking for request smuggling at that boundary, they
found a way to confuse the front end into forwarding a smuggled request whose
attributes the back end trusts as the result of a completed login, so an
unauthenticated request is processed as if it came from an administrator. From there
they could create a new administrator account and run arbitrary commands as root. The
details are technical, but the key point is that authentication is bypassed entirely,
so strong passwords on the device do not help. This is not the first time the
Apache-to-Tomcat boundary in TMUI has yielded unauthenticated RCE: CVE-2020-5902, a
path-traversal bug in the same interface, was widely exploited in 2020. CVE-2023-46747
is a different flaw at the same boundary, not a reappearance of the 2020 one.
Since the disclosure, attackers have used CVE-2023-46747 in the wild. F5 updated its
advisory to warn that the vulnerability “is being actively exploited after its public
disclosure”, and CISA added it to the Known Exploited Vulnerabilities catalog at the end
of October 2023. Mandiant later reported that UNC5174, a China-nexus threat cluster it
tracks, used CVE-2023-46747 in late 2023 to add administrator accounts and run commands
on compromised BIG-IP systems. In short, real attacks have happened, so fixing this
vulnerability is urgent, and any device that was exposed while unpatched should be
checked for unexpected accounts, not just updated.
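The post-exploitation pattern described above (an attacker-created administrator account) leaves a trace in the device’s audit log. The following is an added example, not code from F5, Praetorian or the original article: it reads audit lines, extracts who changed which account, and flags accounts that are not on an expected list or that were granted the admin role. The three log lines are constructed to resemble F5 AUDIT entries; the exact field layout on a real device may differ, and the KNOWN_USERS list is an assumption you would replace with your own.

```shell
#!/bin/sh
# Added example (not from F5, Praetorian or the original article): scan BIG-IP
# audit log lines for account creation and privilege changes. Post-exploitation
# of CVE-2023-46747 was reported to include adding administrator accounts, and
# account changes made through tmsh or the Configuration utility land in
# /var/log/audit as "create auth user" / "modify auth user" commands.
# ASSUMPTION: the line layout below approximates F5's AUDIT entries; adjust the
# patterns to match what your device actually logs.

# Accounts you expect to exist (assumed for this example; fill in your own).
KNOWN_USERS="admin root netops"

# Returns 0 if $1 is listed in KNOWN_USERS, 1 otherwise.
is_known_user() {
  for u in $KNOWN_USERS; do
    [ "$u" = "$1" ] && return 0
  done
  return 1
}

# Reads audit log lines on stdin and prints one "SEVERITY actor action target"
# line per auth-user change. HIGH = the target account is not in KNOWN_USERS or
# the command grants the admin role; REVIEW = a change to a known account.
scan_audit() {
  grep 'AUDIT' | grep -E 'cmd_data=(create|modify|delete) auth user ' |
  while IFS= read -r line; do
    actor=$(printf '%s\n' "$line" | sed -En 's/.* user=([^ ]+).*/\1/p')
    action=$(printf '%s\n' "$line" | sed -En 's/.*cmd_data=(create|modify|delete) auth user .*/\1/p')
    target=$(printf '%s\n' "$line" | sed -En 's/.*cmd_data=(create|modify|delete) auth user ([^ ]+).*/\2/p')
    severity=REVIEW
    if ! is_known_user "$target"; then
      severity=HIGH
    fi
    case "$line" in
      *"role admin"*) severity=HIGH ;;
    esac
    printf '%s %s %s %s\n' "$severity" "$actor" "$action" "$target"
  done
}

# CONSTRUCTED sample log: an attacker-created account with the admin role and a
# bash shell, a harmless read-only command, and a routine password change.
sample_audit_log() {
  cat <<'EOF'
Oct 27 03:14:07 bigip1 notice tmsh[21233]: 01420002:5: AUDIT - pid=21233 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=create auth user svc_backup password ****** partition-access add { all-partitions { role admin } } shell bash
Oct 27 03:15:22 bigip1 notice tmsh[21240]: 01420002:5: AUDIT - pid=21240 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual
Oct 27 09:01:00 bigip1 notice tmsh[22010]: 01420002:5: AUDIT - pid=22010 user=netops folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify auth user netops password ******
EOF
}

# On a real device:            scan_audit < /var/log/audit
# Against the constructed log: sample_audit_log | scan_audit
```

Run it against the sample and the first line comes back as HIGH (unknown account, admin role granted) while the netops password change is only REVIEW. On a device that was exposed before patching, run the scan over the rotated audit logs as well, and treat any HIGH hit by the built-in admin account from the exposure window as a compromise indicator, since the bypass lets the attacker act as that user.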

How to Fix the F5 Vulnerability (Patch and Mitigation)
The most important action is to apply F5’s official fix immediately. F5 released
emergency updates for the affected BIG-IP branches on October 26, 2023. For example, F5
advises upgrading to at least BIG-IP 17.1.0.3 with Hotfix-17.1.0.3.0.75.4, or the
equivalent patched build plus engineering hotfix for the 16.x and 15.x branches; the
advisory (K000137353) lists the exact build for each branch. Note that the point release
alone is not enough: the engineering hotfix must be installed on top of it. If you run
14.x or 13.x, those branches are at or past the end of software support, so plan an
upgrade to a supported branch rather than staying on them. Because the flaw was
exploited in the wild, patching is only half the job: after updating, review the
device’s user accounts and audit logs for anything created while it was exposed.
If you cannot apply the full patch right away, F5 and security experts suggest
temporary mitigations. One is the mitigation script F5 attached to its advisory, which
hardens the TMUI front end so that the malicious requests are rejected.

To run it:
● Download the script from F5’s security advisory (KB K000137353); do not use copies
from other sources.
● Log in to the BIG-IP appliance via SSH as the root user (or copy the file over with
scp first).
● If needed, rename the downloaded file so it ends in .sh.
● Make it executable with chmod +x scriptname.sh.
● Run it from the command line and keep its output for your change record.
This one-time change closes the hole until you can install the full patch. One caveat:
do not run the script on versions before 14.1.0, because on those releases it prevents
the Configuration utility (TMUI) from starting.
Independently of the script, the most effective mitigation is not to expose the
Configuration utility at all: restrict access to the management interface and to self
IPs so that only a trusted management network can reach it, which is F5’s standing
recommendation in every BIG-IP advisory.
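The steps above are easy to get wrong under time pressure, so here is a pre-flight wrapper for them, added as an example (this is not F5’s mitigation script and is not part of the original article). It compares the running version against the affected ranges listed earlier, refuses to run the script on anything older than 14.1.0, and enforces the .sh naming. The script path and the version string are supplied by the caller; on the device the version comes from tmsh show sys version. The function names are this example’s own.

```shell
#!/bin/sh
# Added example (not F5's mitigation script and not part of the original
# article): a pre-flight wrapper that checks the running BIG-IP version against
# the affected ranges from F5's advisory and refuses to run the mitigation
# script on releases older than 14.1.0, where F5 says it breaks the
# Configuration utility. ASSUMPTIONS: the script path and the version string
# are supplied by the caller (on the device, the version comes from
# "tmsh show sys version"); nothing is executed unless apply_mitigation is
# called explicitly.

# Returns 0 if dotted version $1 >= $2, comparing up to four numeric components.
version_ge() {
  a=$(printf '%s.0.0.0\n' "$1")
  b=$(printf '%s.0.0.0\n' "$2")
  i=1
  while [ "$i" -le 4 ]; do
    x=$(printf '%s\n' "$a" | cut -d. -f"$i")
    y=$(printf '%s\n' "$b" | cut -d. -f"$i")
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# Truncate a version to major.minor.maintenance (17.1.0.3 -> 17.1.0).
v3() { printf '%s\n' "$1" | cut -d. -f1-3; }

# Returns 0 if $1 falls in one of the version ranges F5 listed as affected.
# A hit means "vulnerable unless the ENG hotfix for this branch is installed";
# the hotfix does not change the version number, so check for it separately.
version_in_affected_range() {
  v=$(v3 "$1")
  for range in 13.1.0:13.1.5 14.1.0:14.1.5 15.1.0:15.1.10 16.1.0:16.1.4 17.1.0:17.1.0; do
    lo=${range%:*}
    hi=${range#*:}
    if version_ge "$v" "$lo" && version_ge "$hi" "$v"; then
      return 0
    fi
  done
  return 1
}

# Returns 0 if F5's mitigation script may be run (14.1.0 or later).
mitigation_script_supported() {
  version_ge "$(v3 "$1")" 14.1.0
}

# $1 = path to the script downloaded from K000137353, $2 = running version.
# Exit status 2 = refused by a pre-flight check; otherwise the script's status.
apply_mitigation() {
  script=$1
  ver=$2
  if ! mitigation_script_supported "$ver"; then
    echo "refusing: mitigation script is unsupported before 14.1.0 (running $ver)" >&2
    return 2
  fi
  if ! version_in_affected_range "$ver"; then
    echo "note: $ver is outside the listed affected ranges; confirm against the advisory" >&2
  fi
  case "$script" in
    *.sh) ;;
    *) echo "refusing: rename $script to end in .sh first" >&2; return 2 ;;
  esac
  if [ ! -f "$script" ]; then
    echo "refusing: $script not found; download it from F5's advisory" >&2
    return 2
  fi
  chmod +x "$script" && "$script"
}

# Usage on the device (path assumed; version taken from "tmsh show sys version"):
#   apply_mitigation /root/mitigation.sh 16.1.4
```

The version check deliberately ignores the fourth component when deciding whether a branch is affected (17.1.0.3 still counts), because the hotfix is what removes the bug and it does not change the version string; confirm the hotfix build separately before trusting a device as patched. The wrapper only guards F5’s script, it does not replace it.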


Sources:
https://arcticwolf.com/resources/blog/cve-2023-46747/
https://www.praetorian.com/blog/advisory-f5-big-ip-rce
